blackshell tool1: SSHD vulnerability scanner

From: blackshellat_private
Date: Mon Dec 31 2001 - 21:12:53 PST 

-----BEGIN PGP SIGNED MESSAGE-----


this tool is for the purpose of professional security people testing their own private/corporate networks. under no circumstances is the blackshell team repsonsible for any misuse of this.

#!/usr/bin/perl -w

#--blackshell tool1--#
#--blackshell-sshd.pl--#

# this is a mass scanner for remote security testing
# of networks for the ssh crc32(deattack) bug.
# this is being exploited in the wild at the present time
# and it leads to complete remote compromisation
# of a vulnerable server

# vulnerable OS'es include aix, irix, linux, solaris, hpux, unicos(yes)

# a few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors

use Thread;
use Strict;
use Socket;
use Getopt::Std;
use Config;

my $banner = qq(
Mass SSHD Vulnerability Scanner
by BlackShell
blackshellat_private
);

$exploit_information = qq(

Advisories:

http://www.securityfocus.com/advisories/3088
http://xforce.iss.net/alerts/advise100.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/bugid=2347
http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
http://openssh.org/security.html
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html


Information:

http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
http://www.newsbytes.com/news/01/171291.html
http://www.cert.org/incident_notes/IN-2001-12.html


Incidents:

http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
http://archives.neohapsis.com/archives/incidents/2001-12/0240.html

);


# borrowed from dave's code(thanks :>)

my @affected = (
'SSH-1.5-1.2.24',
'SSH-1.5-1.2.25',
'SSH-1.5-1.2.26',
'SSH-1.5-1.2.27',
'SSH-1.5-1.2.28',
'SSH-1.5-1.2.29',
'SSH-1.5-1.2.30',
'SSH-1.5-1.2.31',
'SSH-1.5-OpenSSH-1.2',
'SSH-1.5-OpenSSH-1.2.1',
'SSH-1.5-OpenSSH-1.2.2',
'SSH-1.5-OpenSSH-1.2.3',
'SSH-1.99-OpenSSH-2.1',
'SSH-1.99-OpenSSH_2.1.1',
'SSH-1.99-OpenSSH_2.2.0',
'SSH-1.99-OpenSSH_2.2.0p1',
);




if(! $Config{'usethreads'})
{
	print "\nNo Threading Supported";
	exit 1;
}

getopts("d:t:l:i:",%args);

my $debug;


		if($args{i})
		{
		my $infile = $args{i} || sshd.in;
		print "\nUsing infile: $infile";
		}
		elsif($args{d})
		{
			$debug = 1;
			print "\nUsing Debuging!";
		}
		elsif($args{t})
		{
			my $timeout = $args{t} || 5;
			print "\nUsing Timeout: $args{t}!";
		}
		elsif($args{l})
		{
			my $logfile = $args{l};
			print "\nUsing logfile: $logfile";
		}

		open(FILE,"<$infile") || die "\nCant read from $logfile";

		while(<>)
		{
			chomp($host = $_);
			print "\nScanning $host...";

			my $thread = Thread->new(\&check_scan,$host);
			print "\nScanning $host...";
			my @return = $thread->join;
		}
			if($debug)
			{
				my $check;
				foreach $check (@return)
				{
					print "\nDebugging running....";
					print "\n$debug info...:";
					print "\n$check";
				}

					}else{

					print "\n\n$banner\n";
					print "\n\nOptions: ";
					print "\n./$0 -i <INFILE> -l <LOGFILE> -d -t 15";
					print "\n
					print "\ndefaults: ";
					print "\ntimeout: 5";
					print "\nhost list: sshd.in";
					print "\nlogfile: sshd.log";
					print "\ndebug: no";
					}

			}
	}

sub check_scan ($)
{

	eval {

	my $host = shift;
	my $iaddr = inet_aton($host);
	my $port = "22";

		my $paddr = sockaddr_in($port, $host);
		my $proto = getprotobyname('tcp');
		socket(SOCK,AF_INET,SOCK_STREAM,$proto) || die "\nCant make Socket: $!";
		alarm($args{t});
		if(connect(SOCK,$paddr))
		{
			print "\nSSHD is open on $host";
			print "\n${host}'s response...";
		}
			while(<SOCK>)
			{
				chomp;
				print;
				$response = $_;
				&log($host, $response);
				print "\analyzing ${host}'s response...";
				&analyze($host, $response);
			}

		}

			close(SOCK);
	}



sub log ($$)
{

	open(LOG,">$logfile") || die "\nCant open $logfile for writing";

	select(LOG);
	print "\n$banner\n";
	print "\n$exploit_information"
	close(LOG);

	$host = shift;
	$rez = shift;

		open(LOG,">>$logfile") || die "\nCant open $logfile";
		flock(LOG,2) || die "\nCant file lock";
		select(LOG);

			print "\nResults:";
			print "\n${host}: $rez";
			print "\n\nFinished...\n";

	close(LOG);

}



sun analyze ($$)
{

	$host = shift;
	$result = shift;

	foreach $checkz (@affected))
	{
		if($result = $checkz)
		{
			print "\n$host is running a vulnerable version of SSHD";
			print "\nversion is: $result";
		}
	}
}
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAjwxR+IYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
G+kAoIRsS/BUmFjmlsdgNHSKWW2elojfAJ9ItUcz9Ao1dpbbkzuf184f1RJnNg==
=Z/EV
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Jan 01 2002 - 15:12:08 PST